DNSSEC Readiness
- Subject: DNSSEC Readiness
- From: marka at isc.org (Mark Andrews)
- Date: Tue, 16 Feb 2010 11:16:20 +1100
- In-reply-to: Your message of "Mon, 15 Feb 2010 10:14:54 -0800." <[email protected]>
- References: <[email protected]>
In message <4B798F1E.6080403 at knownelement.com>, Charles N Wyble writes:
> All,
>
> How are folks verifying DNSSEC readiness of their environments? Any
> existing testing methodologies / resources that folks are using?
>
> It seems like this is something that will become a front and center
> issue for help desks everywhere pretty quick. :) Ideally the more we can
> stave off issues through proactive testing/fixing the better.
Make the following queries from your recursive servers. If you
force the query source in the nameserver, add a "-b <address>" to
match.
dig -4 ns . +norec @l.root-servers.net
dig -4 ns . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net +vc
If any of them fail, you need to fix your middleware and / or firewall
on the box.
The first +dnssec query checks that unfragmented DNSSEC responses
over 512 bytes are passed. I get 801 bytes today when I run this
test.
The second +dnssec query checks that fragmented DNSSEC responses are
passed. I get 1906 bytes today when I run this test.
The third +dnssec query checks that DNSSEC responses over TCP are
passed.
The non +dnssec query is a control query to check that you can reach
l.root-servers.net.
Repeat for IPv6.
dig -6 ns . +norec @l.root-servers.net
dig -6 ns . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc
Mark
> - --
> Charles N Wyble
> Linux Systems Engineer
> charles at knownelement.com (818)280-7059
> http://www.knownelement.com
> Unless agreed upon, assume everything in this e-mail might be blogged.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkt5jxoACgkQJmrRtQ6zKE94eQCghyDn96HG2g7G1MDogj/yy1WB
> GFQAn22n3a48Mt9ssiwfyqN1Ne0N+X6L
> =Xt79
> -----END PGP SIGNATURE-----
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
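The following script automates the four checks above for IPv4 and IPv6 and classifies each dig answer. It is an added example, not code from Mark's message or from ISC: it shells out to dig with exactly the arguments given in the message (and adds -b when the resolver pins its query-source address), then parses dig's status line, "MSG SIZE rcvd" line and "Truncated, retrying in TCP mode" notice. The size thresholds (more than 512 bytes for the first +dnssec query, more than 1500 bytes for the fragmented and TCP queries) and the sample dig outputs used for the offline demo are this example's own assumptions and constructions; l.root-servers.net is taken from the message.

```python
"""Runner for the four DNSSEC readiness checks from Mark's message.
Added example; not from the original post or from ISC.  Thresholds and the
sample dig outputs below are this example's own assumptions/constructions."""
import re
import subprocess

SERVER = "l.root-servers.net"

# (name, dig arguments, minimum answer size in bytes).  Thresholds are an
# assumption of this example: >512 bytes proves EDNS0 payloads beyond the
# classic DNS limit get through; >1500 bytes forces UDP fragmentation on an
# Ethernet-sized path.  The control query only has to be answered at all.
CHECKS = (
    ("control", ("ns", ".", "+norec"), 0),
    ("udp512",  ("ns", ".", "+dnssec", "+cd", "+norec"), 513),
    ("udpfrag", ("any", ".", "+dnssec", "+cd", "+norec"), 1501),
    ("tcp",     ("any", ".", "+dnssec", "+cd", "+norec", "+vc"), 1501),
)

STATUS_RE = re.compile(r"status: (\w+)")
SIZE_RE = re.compile(r"MSG SIZE\s+rcvd: (\d+)")


def dig_command(family, args, source=None):
    """argv for one check; family is 4 or 6.  source becomes dig's -b so the
    probe leaves from the same address the resolver's own queries use."""
    cmd = ["dig", f"-{family}"]
    if source:
        cmd += ["-b", source]
    return cmd + [*args, f"@{SERVER}"]


def evaluate(output, min_size):
    """Classify one dig output as (passed, reason)."""
    if "no servers could be reached" in output:
        return False, "no response: packets dropped by middleware/firewall?"
    status = STATUS_RE.search(output)
    if not status:
        return False, "no DNS header in dig output"
    if status.group(1) != "NOERROR":
        return False, f"rcode {status.group(1)}"
    if "Truncated" in output:
        # The UDP answer came back with TC set and dig silently retried over
        # TCP.  The UDP path did not carry the full response, so the check
        # fails even though dig eventually printed an answer.
        return False, "UDP answer truncated; dig fell back to TCP"
    size = SIZE_RE.search(output)
    if not size:
        return False, "no MSG SIZE line in dig output"
    n = int(size.group(1))
    if n < min_size:
        return False, f"only {n} bytes received, expected at least {min_size}"
    return True, f"{n} bytes"


def _run_dig(cmd):
    """Run dig and return its stdout; map timeouts to dig's own wording."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=20).stdout
    except FileNotFoundError:
        return ";; dig binary not found"
    except subprocess.TimeoutExpired:
        return ";; connection timed out; no servers could be reached"


def run_checks(family=4, source=None, runner=_run_dig):
    """Run all four checks for one address family.  `runner` takes an argv
    and returns dig's stdout; pass a fake runner to exercise this offline."""
    return {name: evaluate(runner(dig_command(family, args, source)), size)
            for name, args, size in CHECKS}


# Constructed dig outputs (not real captures) so the logic can be run offline.
SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
;; MSG SIZE  rcvd: 801
"""
SAMPLE_FALLBACK = ";; Truncated, retrying in TCP mode.\n" + SAMPLE_OK
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    for family in (4, 6):
        for name, (ok, why) in run_checks(family).items():
            print(f"IPv{family} {name:8} {'PASS' if ok else 'FAIL'}  {why}")
```

Run it on the recursive server itself (python3 dnssec_ready.py, or call run_checks(4, source="<query-source address>") when the nameserver pins its source). A "no response" on the udp512 or udpfrag row with a passing control row points at a device dropping EDNS0 or fragmented UDP; the "truncated" reason matters because dig's default TCP fallback would otherwise hide a UDP path that cannot carry large answers.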